- Jan 08, 2025
-
-
Michal Nasiadka authored
It's needed to be configured on environments like our CI, because of low cpu/network resources proxysql marks healthy nodes as OFFLINE_HARD Change-Id: I6d1e9e77abc48d82ffd6ade33997c83bb601b0eb (cherry picked from commit 1fbb299d)
-
- Oct 25, 2024
-
-
Matus Jenca authored
This patch adds an ability to receive TLS connections to ProxySQL. Certificates and variable lookups are added in order for TLS to be enabled by <project_name>_database_internal_tls_enable. Note that in order for this to work, mysql connection strings need to have TLS enabled, which can be added in separate per-service patches. Change-Id: I2c06ce5e138f52259c1725dae37f25c1b00d1e6b
-
Matus Jenca authored
This commit adds TLS connection between ProxySQL and MariaDB. Frontend TLS (between services and ProxySQL) will be added in another commit. Partially Implements: mariadb-ssl-support Change-Id: I154cbb096469c5515c9d8156c2c1c5dd07b95849 Signed-off-by: Matus Jenca <matus.jenca@dnation.cloud>
-
- Oct 17, 2024
-
-
Michal Arbet authored
In single-node clusters, ProxySQL shuns the server on MySQL errors, causing failures during upgrades or container restarts. This change increases the timeout to 10 seconds, allowing the backend time to recover and preventing immediate errors in CI environments. Change-Id: I70becdc3fcb4ca8f7ae31d26097d95bdc6dd67eb
-
- Sep 23, 2024
-
-
Michal Arbet authored
This update enhances the monitoring of the database cluster in ProxySQL. The default monitoring intervals were insufficient for reliably detecting failures in the Galera cluster environment. A detailed configuration for monitoring intervals has been introduced, providing better control over how quickly and accurately ProxySQL can identify issues.

- Variables such as `mariadb_monitor_connect_interval`, `mariadb_monitor_galera_healthcheck_interval`, and `mariadb_monitor_ping_interval` significantly reduce the time between connection checks.
- Timeouts like `mariadb_monitor_galera_healthcheck_timeout` and `mariadb_monitor_ping_timeout` allow faster failure detection, while `mariadb_monitor_galera_healthcheck_max_timeout_count` sets the maximum number of allowed timeouts before marking a node as down.

Calculation:

- Galera healthcheck: 4 seconds (interval) + 1 second (timeout) + 4 seconds (interval) + 1 second (timeout) = 10 seconds.
- Ping healthcheck: 3 seconds (interval) + 2 seconds (timeout) + 3 seconds (interval) + 2 seconds (timeout) = 10 seconds.

Both the health check and ping check mechanisms will detect a node failure within a maximum of 10 seconds. Both processes (health check and ping) operate independently, and failure in either mechanism will mark the node as failed.

- Health Check Failure Detection: Up to 10 seconds.
- Ping Failure Detection: Up to 10 seconds.
- Connect Attempts: ProxySQL also tries to connect every 2 seconds, which helps monitor connectivity.

These changes ensure that ProxySQL can detect issues in 10 seconds as haproxy, significantly reducing downtime compared to default settings. This adjustment enables faster and more reliable monitoring, improving system stability and reducing potential downtime in production environments.

Change-Id: Ic28801519cdb35ed2387a1468b9df661847a5476
-
Michal Arbet authored
The ProxySQL startup script was incorrectly using the `--reload` flag, which only reloads/merges the configuration without initializing the database from the config file [1]. This change corrects it to use the `--initial` flag, ensuring that the database is always reloaded from the configuration at startup. [1] https://proxysql.com/documentation/configuring-proxysql/#initialstartup Change-Id: I9cc721555a6d19409b6ac24432b6b34a83efc42c
-
- Sep 20, 2024
-
-
Michal Arbet authored
This patch resolves an issue where ProxySQL could not bind due to incorrectly formatted IPv6 addresses in the `mysql_ifaces` configuration. The kolla's `put_address_in_context` filter is now used, ensuring the addresses are properly enclosed in square brackets for correct binding. Closes-Bug: #2081106 Change-Id: Ic166b8d9a500023c8d23ec9fee03b28b268b26e7
-
- Sep 17, 2024
-
-
Michal Arbet authored
From version 2.1, ProxySQL has a built-in ProxySQL Prometheus exporter. This patch adds an option to easily enable this exporter [1]. [1] https://proxysql.com/documentation/prometheus-exporter Change-Id: I8776cdc0a6ec9e4e35a2424dd0984488514a711f
-
- Sep 13, 2024
-
-
Michal Arbet authored
The --reload parameter ensures that any changes in the proxysql configuration file are applied to the already existing internal proxysql database. Change-Id: I9215d6cef3795030676c44a8184d99ba46dcb60c
-
- Sep 09, 2024
-
-
Michal Arbet authored
Commit [1] introduced a bug into kolla-ansible where there is incorrect indentation in the haproxy configuration file. This patch fixes it. [1] https://github.com/openstack/kolla-ansible/commit/b13fa5a92cb6d768c5839bd11667e2ca72a7cd2f Closes-Bug: #2080034 Change-Id: I3375e303bc358fc79d1fa2e219e6ec1dba7a38ba
-
- Aug 30, 2024
-
-
Sven Kieske authored
harden the TLS default config according to the mozilla "modern" recommendation: https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7

if you want to revert to the old settings, set: `kolla_haproxy_ssl_settings: "legacy"` in globals.yaml. alternatively you can also set it to "intermediate" for a middle ground between security and accessibility.

this also adjusts the glance and neutron tls proxy ssl settings in their dedicated haproxy config templates to use the same mechanism.

also add some haproxy related docs to the TLS guide and cross reference it from the haproxy-guide.

Closes-Bug: #2060787 Signed-off-by: Sven Kieske <kieske@osism.tech> Change-Id: I311c374b34f22c78cc5bcf91e5ce3924c62568b6
-
- May 14, 2024
-
-
Michal Nasiadka authored
-f configdir has been supported in HAProxy since 1.7 Partial-Bug: #2048130 Change-Id: Icb95cb072cb3eb5c27ffd79a127069bfcf21a61a
-
- Jan 05, 2024
-
-
Dawud authored
HAProxy exposes a Prometheus metrics endpoint, it just needs to be enabled. Enable this and remove configuration for prometheus-haproxy-exporter. Remaining prometheus-haproxy-exporter containers will automatically be removed. Change-Id: If6e75691d2a996b06a9b95cb0aae772db54389fb Co-Authored-By: Matt Anson <matta@stackhpc.com>
-
- Jan 02, 2024
-
-
Michal Nasiadka authored
I35317ea0343f0db74ddc0e587862e95408e9e106 changed certificate path but omitted single frontend template. Change-Id: I638ba32e97234900745df62056710dcc37e7db77
-
- Nov 07, 2023
-
-
James Kirsch authored
Add support for automatic provisioning and renewal of HTTPS certificates via LetsEncrypt. Spec is available at: https://etherpad.opendev.org/p/kolla-ansible-letsencrypt-https Depends-On: https://review.opendev.org/c/openstack/kolla/+/887347 Co-Authored-By: Michal Arbet <michal.arbet@ultimum.io> Implements: blueprint letsencrypt-https Change-Id: I35317ea0343f0db74ddc0e587862e95408e9e106
-
- Aug 18, 2023
-
-
Léo Gillot-Lamure authored
Threads are the recommended way to scale CPU performance since HAProxy 1.8. Official documentation says: « While "nbproc" historically used to be the only way to use multiple processors, it also involved a number of shortcomings related to the lack of synchronization between processes (health-checks, peers, stick-tables, stats, ...) which do not affect threads. As such, any modern configuration is strongly encouraged to migrate away from "nbproc" to "nbthread". ». Change-Id: I6f2e9d74e68703c8e0827e495945a75f020e1561
-
- Aug 02, 2023
-
-
Léo Gillot-Lamure authored
The directive used has the same semantic as what is done above for nbproc > 1: it binds each thread to a CPU. It is simpler and does not require a loop because it uses the auto: syntax available in HAProxy 2.4. Change-Id: I1ce124b678140f5f4737df557683bb67bc7cfc66
-
Léo Gillot-Lamure authored
Threads are the recommended way to scale CPU performance since HAProxy 1.8. Official documentation says: « While "nbproc" historically used to be the only way to use multiple processors, it also involved a number of shortcomings related to the lack of synchronization between processes (health-checks, peers, stick-tables, stats, ...) which do not affect threads. As such, any modern configuration is strongly encouraged to migrate away from "nbproc" to "nbthread". ». While more recent versions of HAProxy automatically detect the number of available CPU and enable threads for them, it can be useful to explicitly set the value. In this patch, setting cpu-map for threads is not supported. Change-Id: Id917c70f3dbe52f24f25d9403ba8151729e8966b
-
- Jun 28, 2023
-
-
Michal Nasiadka authored
Use case: exposing single external https frontend and load balancing services using FQDNs. Support different ports for internal and external endpoints. Introduced kolla_url filter to normalize urls like:

- https://magnum.external:443/v1
- http://magnum.external:80/v1

Change-Id: I9fb03fe1cebce5c7198d523e015280c69f139cd0 Co-Authored-By: Jakub Darmach <jakub@stackhpc.com>
-
Michal Nasiadka authored
We've seen issues in CI when keepalived haproxy check script returns an error and keepalived is switching to backup and then again to primary on a single node environment. Closes-Bug: #2025219 Change-Id: Iba62e76b3cf83f3ade6df81288d2d77129ffc725
-
- Jun 21, 2023
-
-
Adam Stackhouse authored
Related-Bug: #2024554 Change-Id: Ie678d90f88034a079f3284ab5a509be24e8eb42b
-
- Oct 20, 2022
-
-
Michal Arbet authored
By default ProxySQL's default value of max_replication_lag is 0 which is in fact disabling this feature [1]. If it is greater than 0, ProxySQL will regularly monitor replication lag and if it goes beyond the configured threshold it will temporarily shun the host until replication catches up. This should be configurable via kolla-ansible as every openstack deployment can be different in terms of network delays, database load etc., so user should have option to configure when database backend will be shunned. [1] https://proxysql.com/documentation/main-runtime/ Change-Id: I66171638abc712cb84b380042f1d29f54c499e73
-
- Jul 29, 2022
-
-
Michal Arbet authored
Kolla environment currently uses haproxy to fulfill HA in mariadb. This patch is switching haproxy to proxysql if enabled. This patch is also replacing mariadb's user 'haproxy' with user 'monitor'. This replacement has two reasons:

- Use better name to "monitor" galera cluster as there are two services using this user (HAProxy, ProxySQL)
- Set password for monitor user as it's always better to use password than not use. Previous haproxy user didn't use password as it was historically not possible with haproxy and mariadb-clustercheck wasn't implemented.

Depends-On: https://review.opendev.org/c/openstack/kolla/+/769385 Depends-On: https://review.opendev.org/c/openstack/kolla/+/765781 Depends-On: https://review.opendev.org/c/openstack/kolla/+/850656 Change-Id: I0edae33d982c2e3f3b5f34b3d5ad07a431162844
-
- Feb 09, 2022
-
-
Imran Hussain authored
Allow operators to set haproxy socket to admin level. This is done via the flag haproxy_socket_level_admin which is set to "no" by default. Closes-Bug: 1960215 Signed-off-by: Imran Hussain <ih@imranh.co.uk> Change-Id: Ia0da89288d68f5803ace1934c013053f12343195
-
- Nov 16, 2021
-
-
Seena Fallah authored
The check condition is similar to the previous if and it can be merged Signed-off-by: Seena Fallah <seenafallah@gmail.com> Change-Id: I62213d91945de42ffc87ecad1e96fa4fc0760f10
-
- Aug 19, 2021
-
-
Michal Arbet authored
For now role haproxy is maintaining haproxy and keepalived. In follow-up changes there is also proxysql added. This patch is *only* renaming/moving stuff to more prominent role loadbalancer, and moving also specific templates to subdirectory. This was done only to better diff in follow-up changes. Change-Id: I1d39d5bcaefc4016983bf267a2736b742cc3a555
-